GROW H. Sharma
Internet-Draft Vodafone
Intended status: Informational 10 February 2024
Expires: 13 August 2024
TCP-AO Protection for BGP Monitoring Protocol (BMP)
draft-hmntsharma-bmp-tcp-ao-02
Abstract
This document outlines the utilization of the Transmission Control
Protocol - Authentication Option (TCP-AO), as prescribed in RFC5925,
for the authentication of Border Gateway Protocol Monitoring Protocol
(BMP) sessions, as specified in RFC7854. The intent is to heighten
security within the underlying Transmission Control Protocol (TCP)
transport layer, ensuring the authentication of BMP sessions
established between routers and BMP stations.
Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at
https://github.com/hmntsharma/draft-hmntsharma-bmp-tcp-ao.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 13 August 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
Sharma Expires 13 August 2024 [Page 1]
Internet-Draft TCP-AO Protection for BGP Monitoring Pro February 2024
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. TCP-AO Protection for BGP Monitoring Protocol (BMP) . . . . . 2
3. Security Considerations . . . . . . . . . . . . . . . . . . . 3
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3
5. Informative References . . . . . . . . . . . . . . . . . . . 3
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 3
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3
1. Introduction
The BGP Monitoring Protocol (BMP), as specified in RFC7854, advocates
the use of Internet Protocol Security (IPsec), as specified in
RFC4303, to address security issues concerning the BMP session between
routers and the BMP station that collects BGP routes. This
document underscores the use of the Transmission Control Protocol -
Authentication Option (TCP-AO) as the authentication mechanism
providing end-to-end authentication of BMP sessions between the
routers and the BMP stations. TCP-AO is also the authentication
mechanism of choice for TCP-based network protocols such as BGP and LDP.
A comprehensive discussion of TCP-AO is provided in RFC5925.
2. TCP-AO Protection for BGP Monitoring Protocol (BMP)
The BGP Monitoring Protocol (BMP) outlined in RFC7854 plays a crucial
role in network management by allowing routers to share information
about their BGP tables, helping operators monitor and troubleshoot
their networks effectively. However, the security considerations
associated with BMP have become increasingly critical in light of
evolving cyber threats. This document proposes that these concerns
be addressed by introducing a framework that utilizes the
Transmission Control Protocol - Authentication Option (TCP-AO),
specified in RFC5925, to safeguard BMP sessions.
Extending this security measure to BMP helps mitigate risks
associated with unauthorized access, tampering, and other potential
security vulnerabilities. By integrating TCP-AO into BMP
implementations, network operators can establish a more resilient and
trustworthy foundation for BGP monitoring activities.
TCP-AO is not intended as a direct substitute for IPSec, nor is it
suggested as such in this document.
As outlined in section "3.2. Connection Establishment and
Termination" of RFC 7854, BMP operates as a unidirectional protocol,
meaning no messages are transmitted from the monitoring station to
the monitored router. Consequently, BMP lacks an effective means of
tracking a session between the router and the station. It relies on
the underlying TCP session, supported by TCP keepalives (RFC1122), to
maintain session activity. Therefore, it is recommended to
authenticate the end-to-end TCP session between the router and the
BMP station using TCP-AO.
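The end-to-end authentication recommended above works because each
TCP-AO traffic key is derived from the identifiers of one specific TCP
connection (addresses, ports and ISNs, RFC 5925 section 5.2), so a
segment's MAC cannot be replayed on another connection. The following
Python example is added here and is not part of the draft: it
implements the KDF_HMAC_SHA1 traffic-key derivation of RFC 5926 and the
HMAC-SHA-1-96 MAC for a constructed router/BMP-station address pair,
constructed ISNs and a constructed master key. The station port and the
bytes covered by the MAC (SNE, pseudo-header, TCP header with the MAC
field zeroed, payload) are placeholders; a real implementation assembles
them from the actual segment.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constants from RFC 5926 section 3.1.1.1 (KDF_HMAC_SHA1, HMAC-SHA-1-96).
KDF_LABEL = b"TCP-AO"
TRAFFIC_KEY_BITS = 160   # HMAC-SHA1 traffic keys are 160 bits long
MAC_LEN = 12             # HMAC-SHA-1-96 keeps the first 96 bits of the MAC


def tcp_ao_context(src_ip, dst_ip, src_port, dst_port, src_isn, dst_isn):
    """Connection context of RFC 5925 section 5.2, network byte order:
    source addr || dest addr || source port || dest port || source ISN || dest ISN.
    Every traffic key is bound to these values, i.e. to one TCP connection."""
    return (ipaddress.ip_address(src_ip).packed
            + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!HHII", src_port, dst_port, src_isn, dst_isn))


def derive_traffic_key(master_key, context):
    """KDF_HMAC_SHA1 (RFC 5926): HMAC-SHA1(master_key, 0x01 || "TCP-AO" || context || 0x00A0)."""
    kdf_input = b"\x01" + KDF_LABEL + context + struct.pack("!H", TRAFFIC_KEY_BITS)
    return hmac.new(master_key, kdf_input, hashlib.sha1).digest()


def compute_mac(traffic_key, covered_bytes):
    """HMAC-SHA-1-96 over the bytes RFC 5925 section 5.1 says the MAC covers."""
    return hmac.new(traffic_key, covered_bytes, hashlib.sha1).digest()[:MAC_LEN]


def verify_mac(traffic_key, covered_bytes, received_mac):
    """Constant-time comparison so a forged MAC cannot be guessed byte by byte."""
    return hmac.compare_digest(compute_mac(traffic_key, covered_bytes), received_mac)


def demo_bmp_session():
    """Worked scenario with constructed values: a router opens the BMP session
    towards the monitoring station; both sides hold the same master key."""
    master_key = b"constructed-shared-mkt-secret"          # constructed, not a real key
    router_ip, router_port, router_isn = "192.0.2.1", 49152, 0x11223344       # constructed
    station_ip, station_port, station_isn = "198.51.100.10", 11019, 0x55667788  # assumed port, constructed ISN

    # Router side. For its SYN the remote ISN is not yet known, so it is 0.
    syn_key = derive_traffic_key(master_key, tcp_ao_context(
        router_ip, station_ip, router_port, station_port, router_isn, 0))
    router_send_key = derive_traffic_key(master_key, tcp_ao_context(
        router_ip, station_ip, router_port, station_port, router_isn, station_isn))

    # Station side: its receive key names the router as source, so the context
    # bytes are identical and the two sides derive the same key independently.
    station_recv_key = derive_traffic_key(master_key, tcp_ao_context(
        router_ip, station_ip, router_port, station_port, router_isn, station_isn))

    # Constructed placeholder for SNE || pseudo-header || TCP header (MAC zeroed) || BMP data.
    covered = (b"\x00\x00\x00\x00"
               + b"<constructed pseudo-header and TCP header with MAC field zeroed>"
               + b"<constructed BMP Initiation message>")
    mac = compute_mac(router_send_key, covered)

    # Flip one payload bit and try a key derived from a different master key.
    tampered = covered[:-1] + bytes([covered[-1] ^ 0x01])
    wrong_key = derive_traffic_key(b"some-other-master-key", tcp_ao_context(
        router_ip, station_ip, router_port, station_port, router_isn, station_isn))

    return {
        "keys_match": router_send_key == station_recv_key,
        "syn_key_differs": syn_key != router_send_key,
        "key_len": len(router_send_key),
        "mac_len": len(mac),
        "valid": verify_mac(station_recv_key, covered, mac),
        "tampered_rejected": not verify_mac(station_recv_key, tampered, mac),
        "wrong_key_rejected": not verify_mac(wrong_key, covered, mac),
    }


if __name__ == "__main__":
    for name, value in demo_bmp_session().items():
        print(f"{name}: {value}")
```

The scenario shows why the draft's recommendation is sufficient on its
own for BMP: the station never sends BMP messages, yet it still
authenticates every segment from the router, and a segment copied from
another connection or another master key fails verification.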
3. Security Considerations
TCP-AO strengthens the security of the BMP session. It is applied over
the existing TCP transport, so it provides the added protection without
placing any additional load on BMP itself.
4. IANA Considerations
This document has no IANA actions.
5. Informative References
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
June 2010, <https://www.rfc-editor.org/rfc/rfc5925>.
[RFC7854] Scudder, J., Ed., Fernando, R., and S. Stuart, "BGP
Monitoring Protocol (BMP)", RFC 7854,
DOI 10.17487/RFC7854, June 2016,
<https://www.rfc-editor.org/rfc/rfc7854>.
Acknowledgments
This document is an outcome of the experience gained through
implementing BMP. While TCP-AO safeguards other TCP-based protocols,
BMP has so far lacked the same level of protection.
Author's Address
Hemant Sharma
Vodafone
Email: hemant.sharma@vodafone.com